935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Size

3.6MB
MD5

d005b0060215cfb5307d6178ad7667c2
SHA1

e9568e05a7e21f7f3c08d9c85306868a4434f64f
SHA256

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941
SHA512

be4be4fb90ec0fa30436d7849359a418cce354b1f2d031b08148b0016d9d1f729c64d42306f5523a2fb7542b90524af26816ae333cceefc8996112d366b7018e
SSDEEP

98304:FhsJUz5vIKvJdRu477EO8TRlaO1xG4k6:73bdR78TRM4k6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1332	alg.exe
1760	DiagnosticsHub.StandardCollector.Service.exe
3108	fxssvc.exe
1504	elevation_service.exe
2980	elevation_service.exe
1784	maintenanceservice.exe
1920	msdtc.exe
3868	OSE.EXE
1044	PerceptionSimulationService.exe
4656	perfhost.exe
3912	locator.exe
3468	SensorDataService.exe
2096	snmptrap.exe
4032	spectrum.exe
2792	ssh-agent.exe
4300	TieringEngineService.exe
4712	AgentService.exe
3076	vds.exe
5004	vssvc.exe
440	wbengine.exe
3036	WmiApSrv.exe
2988	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

description ioc process

File opened (read-only) \??\F: 935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

description	ioc	process
File opened (read-only)	\??\F:	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

Drops file in System32 directory 31 IoCs

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\msiexec.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\System32\msdtc.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\spectrum.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\wbengine.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\System32\vds.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\AgentService.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\vssvc.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd52b20293b476c.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034ec712e1aaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030c9b32f1aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000409bfb2c1aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b8915301aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a585262d1aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ab3382e1aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036afef2c1aaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feb01c301aaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

pid	process
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Token: SeAuditPrivilege	3108	fxssvc.exe
Token: SeRestorePrivilege	4300	TieringEngineService.exe
Token: SeManageVolumePrivilege	4300	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4712	AgentService.exe
Token: SeBackupPrivilege	5004	vssvc.exe
Token: SeRestorePrivilege	5004	vssvc.exe
Token: SeAuditPrivilege	5004	vssvc.exe
Token: SeBackupPrivilege	440	wbengine.exe
Token: SeRestorePrivilege	440	wbengine.exe
Token: SeSecurityPrivilege	440	wbengine.exe
Token: 33	2988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeDebugPrivilege	1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Token: SeDebugPrivilege	1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Token: SeDebugPrivilege	1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Token: SeDebugPrivilege	1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Token: SeDebugPrivilege	1880	935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
Token: SeDebugPrivilege	1332	alg.exe
Token: SeDebugPrivilege	1332	alg.exe
Token: SeDebugPrivilege	1332	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

pid process

1880 935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2988 wrote to memory of 2732	2988	SearchIndexer.exe	SearchProtocolHost.exe
PID 2988 wrote to memory of 2732	2988	SearchIndexer.exe	SearchProtocolHost.exe
PID 2988 wrote to memory of 4504	2988	SearchIndexer.exe	SearchFilterHost.exe
PID 2988 wrote to memory of 4504	2988	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe
"C:\Users\Admin\AppData\Local\Temp\935ef7000ceca85eebebbabc8d8eaf38ef6c777fbf8db2cbc658bea31c078941.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2732

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a756db0110aedfd3a8411b3ad2b388fb

SHA1
01358b2b0c0124c9bb87f095ea33fb113c79e892

SHA256
e86e1048e35f8d00a14860653b9d23547be01d4b7fa6ac19cea75a795b73f60f

SHA512
68de64dc18269b6f7467914305263db55edd394a621ce3e133227141e4138e3f37b4760d3c20491d7d0f234ff7d8a515215240fe7bffc5e6a889bda6ffb805e8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
cbfa9db576777dc375330ff645af4091

SHA1
cd096eeeb8b0157e6c124604ef852b94528c1924

SHA256
f5c8aad6a1dd938c2a3eab21d6a330ee09bbee28fdd32ef83db2a89ea00eb6c0

SHA512
36eb98ba587c47907ded763ef7deecd3d1d0eba705e243cdb485ea8e662330bc98cc47ce61c2ac6703a7d64d7a9e96190eba1a7f0b5c6d693781f89a1c2c7de3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
ce23ae437f058600c12c34ef54782b2d

SHA1
8a3aef64ad0c335fd9a65f469b7d39a644c3da1d

SHA256
05441d571c6b278e68a5e36cb54ff128d2fbf3cb62db6bb51eeee40793ffae94

SHA512
ea891f24d9b95de96391bb376f9022122a41e8c35a12ece0c73b8f54cc748b296fa13b03bbb233c382738932bf0f5a4842cd2dcd8ac3f331996f359c2ff78bf2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
1ffee25f8d88c8b0a65a2ad51a0074fd

SHA1
77eea767c389eb3e63b98765cdff794d14eeef69

SHA256
1cac865cb470d5e5348ee370eb2a66411f4794c60c7f2547bd985c78832b5f1e

SHA512
9a3dfe6b821973b4d80ed3771a12bf436966ca97e1f98805f66fff8d0c6c8b67574863989deedea97bfeda8a3e9058ac25bfac4d7315e0a9c7ba4d727913baee

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
9aeaf62cb00cc60d9cc4c522f53ea2b6

SHA1
c12fdf36cd67dd70f600a79fc6191fbb843851cc

SHA256
fa2fe2bb8018b0f3463cc943e185425935bf37bf1608e13060dc418d53afabfb

SHA512
9ecc2ce691c525d8d873dcd393956b974be5fd19884ab29d5f9eec53e44b24d14607f4c7cc6515c705e7b994ed1c050b346bc657d0bdb35a626d69d17307e372

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
110949e09af501b2447608cc6e464e27

SHA1
b16fdf4b029a3dbb989b648d29f620e0fa69dd1b

SHA256
539cd069115c82596411424c3e48e3b0e5b5a229fefbae9689b14ff571575053

SHA512
9aa0fcef6daf69ac2f37ef6022628ffc5001763499b7a5d091fe9e84573e7d09ff62bbb7c7950c534d3b76ffb9d71ae3fb4cfd4191fea2e17f5eae8c7ed0ad81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
bd24165bc58fe49046d41eed21b13b92

SHA1
3a25c548ff0f8124a245f8602f9f96b472ebc3ee

SHA256
00a99decca7ad481b82fa5c3c71c26f2fe938509e19344a9cfb31eabd7d54f48

SHA512
26ac4faf7ac49cd1cdd31b8597533df41980d96f85d3605a44fa5dc1a74d2ee5b4c35456e7558e4c57da1830276e62aab0eafe7a04555887f5d38727e68c6eee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
dbc3c87c2acc1a2e81a69369a2ce6933

SHA1
65048c69ae39c08edd6053b812f1c9ade7187673

SHA256
b66222fccd2c92f26aa478192ddbb07e7526819799cbdeb9a37f81bc9a175d3f

SHA512
79fae89d49fd5fb91fc127fa3d7fbba95981eda390696955e5e03ac7b9290d245263483622f8757148d18b6365dab14401528b68590cfb4af594998957c4f0e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
62ef60506ccd3720cf837437c4e305da

SHA1
9dfc944e9a3e70ee25c15ea153380ed7013b5228

SHA256
980bdfc084b99755d225c642dc7f464daf8721e80fae5de8c3e14fc25a1c90bd

SHA512
42a4c66587e95a88d48b0bfc28ad9024f08182d49aa566c4c57e443f8a10bbc624668638ae867e8a9cd0c0a26e42f77e686c5d6364c6051c718db26dd6b99990

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
0e42e0d203ec31d490d5fe858a036e8c

SHA1
46e49e355f4a10c421a198cec7e33d5df4d33b34

SHA256
2c04f4e3a66bf0e2ae4d2b485382c5ee6276c3eda2b2d4a2392502c9631f4f10

SHA512
c4e41825a99814f4529fb78cec7e2837d61e39bbc3468260efa09c3d4f730163ea1efd2cbcb5169dd27f64a38f1ad636d16e6b0c82dcd82578aa96d7e3a94053

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
934cc624b0e118a257d76ec08a8f0075

SHA1
adc670a066919f0a7bb29b1a317c69d08856fdc0

SHA256
91495511872bafbb5997d807d28e66fb23c1ff9ce7e555cb1e788196e1230f17

SHA512
18aa5f400cbfda4af2aca8fdd729f0c26acf6cfca7a0685d06f981f80c9a391f4a7dfd9af1f3daad601f2c99172946043c871c00811541deb233125aa6bc5bdc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a0c09c8878f7c976114ea7f6802489eb

SHA1
77da9b797afd3611a7e836719d2fd4cb5978ef9f

SHA256
06d08cdcb1040e72d9067fb541963858b60ba9f6bb0c20cf33257eeb93d9d19a

SHA512
758f89d1c01e996e4db8722754c3e18146bec6a37bf839b14824429c53a45e377e41f80223eaaa538f2555d7041c5a5cf78f298417cf7a05857e847e6b63f58e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
fbac1c044000995f7aecd5d823c65b26

SHA1
271a8bce1f344d27d1e1a578a05a911c5cf0d75c

SHA256
22c79e315dc185f84f1bcdc223c6a39ec99592934cd3114df8584ecaee20332d

SHA512
15974ea689b5068530e074f54b3c3bf9f8fd374a2e3a32c06f801dadc2c34548bc53d3be4bb26792e5820c86b953876328d5d438e369af3a9f2f6e33a31f6b29

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
ccd9da495877f3a32c406a129bf83502

SHA1
4464683a74f296bdf705a79e4064e9d92e481f59

SHA256
90ab54307c7aef6848aaf1716c392d456c0a51a60e3343c106adabc32c23378f

SHA512
8660944acfc4b6b6314dc2e9581e8f7694fc59153b4b993de27f611c26631d9ae119bc4e8cd56a1c0b1e4e0fb976b2fc5222ab977d58ee75863eecb2ec7f1af1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
12526b333acbc750c3a7d9a14ffb319e

SHA1
a00f2c474b56cea90c84dd64f9abdb2fc1fde351

SHA256
96763750f32cd519baff636dfc043bb0009adf61761f877ff1fc28cad143fb84

SHA512
be250d27f494c09a92fa0f4b1d033a3c8ca71465043d734c32f4d0de5c3b2350d1a896fa92af481d23f5d015f54ee2e63fa8b8ba7cacf0bc4e05b89083e01b90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
1bfdd182b72a178c458a5390097e2c0f

SHA1
0e1ee251fef9d83e88bbe3b7aa84e63992997db7

SHA256
8de190a44c4ed2fc0021378f4f76c9fe61f13f03f48186bc85c9b3f8bbcfe31f

SHA512
355f5ba179716d74bc6b26cd1785be94098fa131fe8b12952275d45e4264d3af768b72f1396a9648f8d586a1f76058e1ac31e4c19b319446b4e7345e33e61e7a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
52ba48920a2ed8b6b65f5fb76ee413b0

SHA1
e3734d4ae92d50f7e89f7fff51778f9b8502fcf7

SHA256
9f7a60953b558de55f9639e39cba0d147ab65c3dfb8a13a989138ffafb44bba6

SHA512
f92c595310d9c5582f98e3d8761e21a5537ac44f214f873f4fc21028214a660760c3b67c2d51aa0c227179fb60a5edf2aa719be46a2f845eb8a9824859c0e98d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
85b3ec503486ca42c43635b1bbd54959

SHA1
1b9d30404ecfedea2b33c5a1c412b7a7e2ead0f7

SHA256
8e4902ea14c3f3d50db7c8d9eabb2be93a5dce344a3bbb63e1fd12ed0803cf80

SHA512
49bb95df6941f2695e798d4d26f91a7c271fc0f122886cb46ce969f794cae026a58ea87bd3ecfb507471bdb8c0e8e2dd9571f2c6916b63fac34eb4b24c25eaf4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
7e51cef8e96f85712a0d8e199c42944e

SHA1
42edbd9013b7d1f5f6c1afb021d60b5ee873266e

SHA256
b5f8bc34cae800e7f175efdef7e91a8cde1d09b4c60a574d90fd9a9ac9ce3938

SHA512
db870584ff1948bef8d7c0e29fc5eb057d85072018319bdac8bf5a068a33df42f82cfef357791d6d3eb105a7a9073159681d005d8f1da0ef4fa52dde8797ee86

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
eac66c3e4bcf20c51cd9e6f6947aae7c

SHA1
0d99ce3b513fcfc429c8e4c6135ad2c3a92ebdb9

SHA256
771618b15b031700aef3fabac0dd4f13ac7c80c323a67433e1984c199216e173

SHA512
7e291ea5505edb1ba3c6cbf8b869afaf2542fadb5a47f1cad7719e08e2f45c82acc2ff775ce1d51d4209cc75d8e0066adfc45b7e5e6749e569d1785f024b9501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
4717b026a980d9ef28d8ed7c8a434982

SHA1
43724ec1cbe81370bf97d2866335005ef8eb182b

SHA256
e28c928707d502216d65f7ea690eeaaeb98e9cf5f8e855d50cd880c33229968b

SHA512
26ee1fcf024baa550a9c07fd6a1a977d8330adfc34bbae3e73cb29eccda89c51f2940f4df7f535a008ceeab6da642f99619b620e1e5df28bed70a16915344478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
57f58607195799abd96df10b4ea9e0d4

SHA1
bdcc004d5fea98ee8bf81f6ae9a4f4da1c0221d3

SHA256
db305fa06649c0bff8b7d1740251a8d1757b0d52b3ec7908edea9f1d86aabcda

SHA512
e60dd8bb6a5f87f8d664fda728af53b50f7c5c4d666eb20b0f8c8158caf1135b7e8cc158ed2ab69adc5234fca4775d6d305c37cc8f6b59c879804ded704f544d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
71a8d356e4416a046ac3c28abfdfc8bf

SHA1
011ec4c374e905b677dfbed335dc85cf70e21d48

SHA256
055b48ad05213f83e29005be253e7dcd49c1a27a46f8978bb177f89af0f3380b

SHA512
5e4472ac0e3c56710719a05377da085618f78e4a10818eb8332e11c192e638521b289cf371150701fd9d43865beb4b3e81d64ab829ed7683a2980cf447b229e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
a231a88639fe605e674cf84a33075312

SHA1
f241127d9a87a7983bcfd6e4c9702eb53e5cd8e5

SHA256
327c2e6b9eedd92ff5598112955c6b1f1a7dfd167a19b5514933d4fba7637ff2

SHA512
dea13fdd29c77f28ec8bc2e482f460df1df1fc3e33ec050e8cd7bb3983b9689df0b5cff63f7439755fcae56ddbc3a39d8aa944f258b4d747ce431c7b6717a2fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
a86dc9c3b208544672b162a1cf2c46a4

SHA1
06680fbdc6daeb6e4b3ba5a63ade227f655f6316

SHA256
9c060c1bc7149092595d6ea9ada373b8d666a1f74f65e61c8e4567a0884b9cf8

SHA512
9afbe1a00bfbf290572bc137c14b62ca5f5d4882d6fdcfa892305b13858da5c10a1ff2bf2e32c879b301909d5bb2c221a6e99902f633424973dd448a265fc3a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
da09891d38a1caf3d9b14e57ffe4b2ec

SHA1
436a1a0d4cb72326d1d176d967059eb4e7508e29

SHA256
174c99bdea695cf2648c0ad2018d1bf39548a26dc08d02c2fe5347a1070edf38

SHA512
a44e8a0564e6f8c420d0b452b638c2a4ad53d32ddd4765dcba887456c3093a43fc012765ffd248696992e9d405c8e9570f1d26d6abc3aad52987c725bd51ff91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
e718c63175bf089d48bd3bd2688aea76

SHA1
a2d0572449c882d8d8c39ebd699b5d39e74c93cd

SHA256
ff857c9f70b415050c1826c8d3e53d51428c3e68456730f6bf8adf18dfe08805

SHA512
0055d78d93e982e0f378dc7707f5f7124e18e127190e8abbcc6179a95b500056b3eb4f8db8e2732b17fcd517d2009962f930d675cdf1e7a55b69ff6560eace53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
31abe4d1d386e31571f502387ac7a22f

SHA1
42526627dcfb971b0ba18b11fe20a859a74756f9

SHA256
d1f89788493ba91c063907976c3d5e92e8a1f652c32fc201092447aec06f0f69

SHA512
7594fb724ea5f7de382013409388626b4644a6f91617e5e240c8c5ba9a83a1352e7bcbf4938d2c8628a37e6603971613dedb9dfe9b378670193bbc92fb35033e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
c241b933103160a793bb609245bb99c9

SHA1
9da1135ce9e916c462f7ff4b88cb573f37437106

SHA256
97ae1fba1e56c97f883ab7870e4699e77f32fb8a9fc5c4d6263c65161999feec

SHA512
ab54fa36668f952a38af42a22f0365da94e99607bae49ac32c7bfa350841407c2ae15118c1eec66824bff419e14a176535b58f1a1ab9f888d89c9d54efd138a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
3e779296abb3fe9f7959edf7a199b614

SHA1
7a365e9c655e5784f1cccaf19eaf1ed0b5cf0356

SHA256
0c9ebf24daa3f5afa73ded775a45e1ae51a38992257d5eae0a81c6b0bc2a9b4b

SHA512
a7b0c07f6df14ec125c27cdf7ddbe990bcc64f7bd8cb9f0324a439ef9600dc69cd93095963546b692836a7ca8c002a8640a8e83b1b13dd824bd9f02d3bda727a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
edd87dd6477a75c3b6521a2f8ec237d1

SHA1
8cdf74991ea216abb686bb05cf52e42368fce9d1

SHA256
9cdc8cd2dc061da265176a23bc407b657b77e521371bc861c88f62f19d96975a

SHA512
f5afd0beca2f0cac65128d5509d1b076d25134640921f3d81ca8e52a64ac654c0c4a4762fca7e3e400a4506bad753138e3dfffcba6d43ccf054c0c27c4d6d2eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
3951edb9b83c703f76d94880836f6db9

SHA1
507058ec2514909894c4c44f0c1ce708538e9f55

SHA256
d2529aeeff8185569f8130602f67090f103c954cba1f004516fbf5ddacf2e25d

SHA512
8c7d6518b2d1cd32d1660c6aa1a6067df2405f56ed9584fdb767c2465d0d5c6213e6999d19ba5c77050adc905eeda79d152352a550657056385058576685e1ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
676f128d016ee7a1d0f0c0462b11690e

SHA1
57f5d1621b7ba533780c48f3805afba3ee8fbe58

SHA256
e282313c60d50e13a4853d7c867460cf21926e9714a3140a53cfbec2f14ef2f1

SHA512
6de3dd0e9e41aa2c4bd6e8460d9061d3263fbb3121b76f237f76d41c7e9fb75c0dc96a9b9ee8b76247f283fec16de60fb928877b68af59b42beaa3bdec96b81a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
fc0fce2be7800ebd1378b607319037a0

SHA1
6709aba76f31da8f4faf564a841d7f428dac3baa

SHA256
60e110a4728e56270fdf488b886d065ab995725b2edcbf894436ee6f3109c409

SHA512
d8e76ac0a41866003a10e32410f6472e69b62bf8ec82a130f148d39bc5e5ad05a0eb89416172fc6fd66f705c8129c1182390297170176ebd2dee850110cc0bef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
003a8afae2868076a9b0ad0645b04c02

SHA1
5e2ee3f75eb686c2d2d131d9c323b66f8b7097b2

SHA256
724155596417902182506c7e84512bb0e83627ed7f3f7e981149720d99269208

SHA512
665d3a5becea52e242f60055e10dca41c683f13e1901315ffe8eb2c0e8dd12bf648844bdf9f01dfc92eb31ae80c2d28eb48a90abb3f8b033585ac99828ff167e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
3ed719af3312b698cd3ac56cc2ce172f

SHA1
70170fce37692b245fc891bb5075b43449759707

SHA256
526423889e22780e550d11cc28da3666fc4c00b4f1764c118db55e6e0c1ba0d6

SHA512
3ead302cd6a80283d4415331bb6acee7a54100b9639e5d077d73eb217b937d77515b65541d7941611574bae315d5fc56c664321e7a76544713b39dd17b2e678c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ec1939a98afb67e49ed20aec3eaa9388

SHA1
76de4786cb8119500ed425380712c21f1f4ea4b4

SHA256
4422ce26dc738c6de24eed69ecbceaf86971989b7d15a8f99b6595bbfc718834

SHA512
73319a744fe66bb43616abc77a7090cea032e7957060b455ca36593dc69678c6590872594a23c51afa08f71d69a07d29cbd9d0d5d8b1cbe30584b7f3859a1eca

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
7deaaf1bba5f8a0e5528857e336af5ad

SHA1
f69b3480b72a734d5e2b798ff51be27cc3e668fa

SHA256
9d2e62fdb0137ef0793129dc579fd4c9fdda916f43d53274b01e1a5e7064997c

SHA512
81483b254b82aa2eeca1237d4b8abf1ed637767eb4e91c4d0ae982a80a098a92753363d1a34224bf4a01ee6e893aba9346f65976961dbc6809aab97ba7938f29

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
877b1d8a74f133c5e842c82d4314b3e3

SHA1
3a29f48a32f9756a213480a5547fd392cd664842

SHA256
f2b8114854928e6dffb097ffec9689802bd984b5d1538cbbf722fed7dc7cf5f2

SHA512
c0043173fdebfd3c85de24a5de80d19d38a89576d64339a930d5c9d0652780131229365f6ca65eb28a50f87545bd941faf77599ef22383f3c9371764365655ad

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
21dfc32a0b95e6ac6687509f409ed66d

SHA1
a912608329b9a6dfb274c01c12b770372193dd9f

SHA256
72a5dccd4fec8d1775414421872b6351dd096e06f15eeb6085864bb07eb3a456

SHA512
ec5e254a080cbf4d48911bc3509dad27ab063693fa633fa7b1e146b0daa9e796c65870956a6f573dd43bb6b8c0956f10cb9d0970c4230a3ea4a69456ed26081c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
4957d034a61965e9a01dee66f0d2ba40

SHA1
e2a20f9de572c4a70d327b574d56df8f41b440ce

SHA256
96b6ff5e12bf4e2f6bc0ac65af855cce9e56b27c74e27a03f57974a957571983

SHA512
c1ceea926a0d134ccb0c87e219222700d25f39ab482518de71f7209f50f850b12803f20ec3fa69dfa03d967eed1b70bb8699b94777991d391ec600a7d91a24d3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
985413246532542aa1cad94db30e819d

SHA1
4ac6e739ee2827bf25c8d50bad6f953965ff22a3

SHA256
97017cbb382e324979c66dc30fb526b70988c7d1672feb2689131fa35ce91dd3

SHA512
557a981bd2e67d1372822e9e4ab5b1e6ba33e6aeaee4819e0bf94460f00ac62003293ae90890cbbe8469453a9eece03c2b4f57cf7240384b973a859b6f2a8f35

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
996df6fc6c63421a53d935d1e3bf58ad

SHA1
ec80e60b87dcfeb3eb5cd7a3c46d9e14b5b9a0b1

SHA256
117631171a589db12a253ef6841f6ea2e7f001b63ed1601e2d36e6ce74f0a084

SHA512
4bf3eb455a005ac4277a5f85374fbf44d5a4970f811fb9b2e295a537c4ee9bf71d88d87b782891c9ffc3f4d559ded62e033d1a5d6623377d86aacc94863d13be

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
5a0aaf4870a4242ec2bb43f059268110

SHA1
35afe7d7106eae4768b7f3a555257e7a9c098115

SHA256
c57c4aa927743e31954c3207a0ba2baa6eb0a9174f77b05d4284563b15544b0b

SHA512
9a65e5ed7d764aa968ed2ce54df434eafa379e936b7df96f2a87ddd8a7ec394938c01c18a76dbf22a47a7fd3b9896d1d308100f8a146f897d0c4aa74a8a0cd06

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
f34d2bd296cbec5816f045c95d19b253

SHA1
9221096eeee664609391debe526885f3028f99f3

SHA256
6ab21224f0110c181658c96c4d8b71b2d5dd9cc60ffc63b400a8f97a5b6b9f4c

SHA512
43ba80111dcef2ccf0dbbcbf2eaaab5008dfaa1e92002d7d5351ffd0286a58cc3170b2e812d3e715e3badfb2c6001a5eae33ce7d49d6faad8badee04062afc4b

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
823c3868c6e081c5cd86730bf07134fe

SHA1
d2987c942339be997b176e12b84a17e557492582

SHA256
0a7a7d3dc0b185ac34d20d5b37317325be3326cbd587f908c993cc59f51ae069

SHA512
211598195e87fc65ff8d19ac5ac4650f7881f3523479bed229835910bde3ce123193d8d72c63a6cb1560c1d62a14c09b3340d89204d55a98dc7bdd46bd75f904

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
83187bf33d676039d9c9f4ed12e32cc7

SHA1
735fcfba548d0b9b0117271f44dab0d675bcf2fd

SHA256
7ca84b62ada56faddc68bf65d790408473d5ddc1c565f336d5fddb902abb2bd2

SHA512
2919913ebcaeee2c707b4f0ff75e9f0e6760c9f1ce944d45486dd7ac8ed14edf4a773f3659723676a0223c97ac90ac55b75e3136f1edcb2aacd03e3e55486e86

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2eccb98758435c85820e20271e013fac

SHA1
701fdde1fe53dffe7c209d9c3351a0907656b52a

SHA256
580b362dbaa30bbbb7888fc021a28bdfa1d3cb8ed873eee521bec75d5b225ee3

SHA512
82c3fbcfa3def5ac2d034a7dd56440b08fa7800bfdc0c071acc64950159dd81bd4f5479738c2340134889d5907d44bf5cbdcb248ce689b103150f007d0567b42

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
2246fa2a1c3059596b9083dcc9fd883c

SHA1
5df30d8c218cf3b3876148b2203391b472523410

SHA256
b849f2e95e042710583660d53c39403b17dc439999af80c27a654f056a0bb871

SHA512
d5d6a88da5a42fdcf8de0b1193106298b96d6e6bab88492904f1f9351415f4af0b20200109513bad24bae1f2bc82fe1ece0a1df70ef2b3f4dc2c7298fc077247

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
12560a8a6cc4369c5bfb04e3a3650ec5

SHA1
ae0c097b8ff454ce630b95755ca8d78abf556020

SHA256
281347b901b198b3ffebea925d81c9f4bb14ba5c507599ef2d2bc0e36bbbe9bc

SHA512
953c1a121e5fb18524c4cd494a5cf1bfce2fa0a2dd7f909d0d45e5522557c2378f2f555eff785547ae5690508e31af97093b97b178e1d94c20fb3c96ac3a3fd6

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
85c265cde39c56befcb03b0c089f4fa8

SHA1
703dc37eebcdb01aefc813a3783d193ae557a946

SHA256
4eca802b26b0ba7f2038c5590533f67229e76175fea1185b2c37087fa3c45cd3

SHA512
0d133b6828597ee5ea19e53872890e980fe9f56a912f0396e981ecce3eb5fcf0f0bb02547989cb88fc85ed6e849ed85aa54ceb47bc9fffcfb2e2a75cf369593c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
9d362ceb0bfc4ea89052f2f592b89c9a

SHA1
05e2c44666add021de9ee3cb62f0a277c5ef2c62

SHA256
760a4552903df063937c4e62b702f08978a150511b39d8023b2a5cdfd6292338

SHA512
ebd34b45fc2844d1c57880dbc40270d760b61e5a462a4ae9b71a7eab2f2fda4ab0b74ee177e0128fca1380528211827a5413a21b2f74ebda24f4259e52c25c89

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
644aeeb8c9f2d344bf80e9099085374f

SHA1
0ab80a07044245f559beba94da71bec866ee297d

SHA256
94688edda5cf7054b96169d77639e6d510e9dadf56b49d73406055a575f1ed4c

SHA512
90754f03909b97e692a863f26e6261894896328f12407eb167edd78fd60bebf8d296300eee815a5b8c500ac290def85ed8d236a6875173ab9bfe74196975727c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
45559e9249420a76804121fa3930045f

SHA1
0695abb3987daa62e470c82a11799a31cee22c3f

SHA256
568f900b5bf2465227b1c236405b026480628db91a68cfcf204bca3d429888b4

SHA512
228b5a8566ae93e499dfe9870d425cb27734534efb818fdac1b2ac2679273adc65be435af0af27260879a561b9a61949618418a0b899a39917ccf9b774ae80ee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
53477d1239978b3fd1d7f5036ecab978

SHA1
ac5dfe3b5bb37d48a4bf6200ee253fe004cf1b6c

SHA256
a76a85609c35d806bf218d7a713a2918dfa8004e4ce5bfc96144550b40d15299

SHA512
50affefce2976262bf6c475c2fdb10472a41729bdeec4f4003d6881778e8325d55676ff3c19970323a9d6c258b966d5ba1dfbb46c727c78cedafbeb051a0e93b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
bdc8e269f6581c76592326b376f977ed

SHA1
6b2564bfeb034eefa608677ebde0ba5126ec12eb

SHA256
ad1b9bcd2d799828a2571147e2bba7c71037e43a59733bf82b22e6d55380d75f

SHA512
f2c05aca589830f8b070519cec0fd599a984352b9144e7e9f4337b7c1a2cb82cc10acc92a1addc426c673e32bb4eba49f8e32f4d4e88f73e21959c617cdd6cbd

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c8b9af100ecf597f900ea4f8352b63f7

SHA1
e953518233044e48ff963b22f2783e7ecf1a6c55

SHA256
1ea08806120fae843ea9f0bc6464479508cc1aef99c644f9297295599c357db6

SHA512
ef579492240d259015d984225b86dfcc7dec938293c1c656a81dc828b5b55688f98ca438a55abe41a9316efba31f83f1d62c952965b1a330a12f6c6f9327cace

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
aaee0104ed550b1eafd21b1a80c7987d

SHA1
95e1236261a807645d66914f0fe30a95afbcaf76

SHA256
09fc5c56f25187dc1892093b1bd9ee41fb74cce5fad232576619a8a8b103841a

SHA512
12f1483b8264a1bdbdb78c482b989585ea14a8da4c46d22a1fe491b50e2bba2605c4b50ef89221e8237d00fea68966036ca5917ee3eec18de583a4e5c88b4033

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
f51e0b797223c76e45041c416e04d332

SHA1
be54995520e61cff1bd6ae48a21537c7d956658f

SHA256
da7fdfb8a9edb83c26a4f8ed642987a1d42d867932475ac02ea5b26c302c04ba

SHA512
a1260990d3e1dbadd9255a7546b9b4af11df239a00a3f386aad3c280a7da5805f24c575c5daf4a5efd7eb8ff40470a2937a1c67cb5235be7a39eb9606fd680ff

Download Submit
memory/440-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1044-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1044-580-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1332-23-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1332-113-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1332-22-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1332-15-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1504-481-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1504-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1504-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1504-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1760-28-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1760-38-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1760-152-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1760-37-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1784-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1784-82-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1784-77-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1784-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1784-87-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1880-100-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/1880-8-0x0000000000DA0000-0x0000000000E07000-memory.dmp

Filesize
412KB

Download
memory/1880-1-0x0000000000DA0000-0x0000000000E07000-memory.dmp

Filesize
412KB

Download
memory/1880-0-0x0000000000400000-0x00000000007A7000-memory.dmp

Filesize
3.7MB

Download
memory/1920-101-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1920-91-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2096-262-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2792-264-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2980-579-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2988-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2988-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3036-599-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3036-270-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3076-266-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3108-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3108-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3108-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3108-41-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3108-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3468-478-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3868-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3912-154-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4032-263-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4300-265-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4656-153-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4712-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5004-268-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download